Earlier today, photo-messaging application Snapchat unveiled new features that enable users to chat directly within the application, a frequently requested feature. The addition of this feature, while an improvement, provides the individuals responsible for Snapchat spam a new feature to play with in their efforts to target users of the service.

History of Snapchat Spam

Figure 1. Previous iterations of porn and dating spam on Snapchat

We have writtennumerousblogs about the rise of Snapchat spam over the last six months. The common thread in each of these spam campaigns was that they were all hindered by the lack of chat functionality. This roadblock presented a challenge to spammers, which led to a common workaround. Each of the spam “snap” messages sent to users featured a caption that asked them to manually perform one of the following actions:

Add an attractive girl on Kik messenger

Visit a website intended to push diet spam

Inform them that they won a gift card or prize that could only be redeemed at an external website

Figure 2. Previous iterations of diet spam on Snapchat

The Future of Snapchat Spam

Now that the chat functionality is native to Snapchat, spammers can remain within the application itself and tailor their spam to work with this new functionality in mind. They can start building chat bots that communicate directly with Snapchat users or find new ways to trick users into clicking on links.

While spammers can send links within chat messages, the way they appear to the recipient can vary. For messages from non-friends, the links cannot be clicked on. For messages from friends, the links are active and clickable.

Understand that spammers are determined and will find ways to adapt. For instance, a spam campaign could begin with an initial photo message of a scantily clad woman that offers “sexier pictures” if a user adds them as friends to ensure that their links would be clickable as the campaign continues.

Review your privacy settings

Now would be a good time to review your Snapchat privacy settings and make sure that only your friends can send you snaps. Please note that even if you restrict who is allowed to send you snaps, you can still receive friend requests from spammers.

We’re keeping an eye out for new spam campaigns using this new feature and we think you should too. Tweet us @threatintel if you come across new Snapchat spam.

In the latest Snapchat spam developments, an increasing number of the photo-sharing app’s users have been sending out spam pictures of fruits or fruit-based drinks to their contacts, which directs them to websites called “Frootsnap” and “Snapfroot”.

Figure 1. Fruit spam on Snapchat

While Symantec has been trackingSnapchat spam for months, this is the first case in which the spam does not originate from fake accounts, but those belonging to real users. These accounts have been compromised to push diet spam.

Instagram users might recall similar campaign last summer, where a number of accounts were compromised to post similar images and messages, extolling the virtues of a miracle diet fruit.

Snapchat users visiting the websites frootsnap.com or snapfroot.com will be redirected to a fake page which has copied the template similar to a Groupon deal website. The page also claims to offer a free 30-day supply of a weight-loss supplement, commonly referred to as diet pill spam.

Figure 2. Website claims to offer weight-loss supplements

The site has no affiliation with Groupon, but uses its likeness to make the offer seem legitimate. If users try to redeem these free pills, they are redirected to a secondary site called securehlthbuyer.com. This site has been associated with securebuyerpath2.com, which has received complaints about excessive charges.

As of now, Symantec does not know how the legitimate accounts were compromised. We reached out to Snapchat before this blog was published to assist them in their investigation, and while we continue to work with them, they provided us with the following statement:

“Yesterday a small number of our users experienced a spam incident where unwanted photos were sent from their accounts. Our security team deployed additional measures to secure accounts. We recommend using unique and strong passwords to prevent abuse.”

We also came across reports of Snapchat users deleting the app from their phone hoping the spam messages would cease. However, this will not stop the spam. If your account has been caught sending out these spam messages, the best thing to do is to change your password immediately.

Figure 3. How to change your Snapchat password

You can change your Snapchat password through the Snapchat web form or through the application itself, by navigating to the Support section under Settings, as shown in Figure 3.

Each of these spam messages includes a request to “Add my kik”, along with a specially crafted user name on the Kik instant messaging application for mobile devices.

Figure 2. Snapchat with a digital camera? It’s a trap!

After engaging these spam bots on Kik Messenger, this spam campaign is using a type of spam chat bot-script we discovered on Tinder last summer.

Figure 3. Spam bot using a familiar chat script on Kik

An interesting discovery from this campaign is the use of compromised custom URLs belonging to small websites and popular brands. Spammers have found a way to create their own links using branded short domains in order to entice users into a false sense of security.

Figure 4. Well-known branded short domain directs users to spam

The following are some of the compromised branded short domains we identified:

Symantec has been working closely with Bitly to investigate and shut down any spammer use of branded short URLs. Bitly has confirmed that some spammers obtained Bitly API keys belonging to various brands. Some of the brands affected used the AddThis social bookmarking service who recently stopped requiring users to reveal their API key in plain text as part of the AddThis website embed code.

Figure 6. Note from AddThis support page regarding API key safety

Public exposure of API keys gives anybody the ability to compromise accounts and, in this case, create short URLs using other people’s domains.

Users of the AddThis service should refer to this support article on how to secure API keys. Bitly javascript:void(0);users should follow Bitly API best practices to ensure the security of API keys.

The recent spam campaign targeting Snapchat users should not be surprising. Scammers and spammers will always target new and popular apps—like Snapchat—as soon as they gain a large enough user base. To prevent spam snaps from appearing in your Snapchat feed, Symantec recommends users change their Snapchat privacy settings to receive snaps from “My Friends” only and use caution when receiving unsolicited messages or friend requests.

Over the past week, users of the photo messaging application Snapchat have seen an increase in the number of spam snaps (Snapchat pictures). The service is now being infiltrated by a myriad of fake accounts sending spam snaps of topless women.

Figure 1. Spam accounts on Snapchat

Snapchat users are currently receiving requests from accounts named similarly, using the following format: “[GIRL’S NAME]snap_####”. Each request features a pending snap from these spam accounts. Despite the app offering privacy settings to only allow snaps from friends, users can still receive add requests from unknown users. Some Snapchat users we spoke to have noticed an increase in these requests over the last week.

Figure 2. An example of a spam snap with a topless woman

If a user accepts one of these requests, they will receive a spam snap of a nude woman. While the photo may vary, each snap includes the caption, “Add me on KIK for nudes swap ;)” along with a username on Kik Messenger, an instant messaging application for mobile devices.

Moving to Kik Messenger gives spammers the opportunity to leverage porn bots, fake accounts that engage with users by using a predefined script that promises more nude photos.

The porn bot offers more nude photos, but only if the user clicks on a link to install a mobile application first. To make sure the user installs the application, the bot requires proof and requests a screenshot from the app before sending more nude photos.

Figure 3. An example of a porn bot on Kik Messenger

If a user clicks on the link, a series of redirects occurs through affiliate programs, leading to games hosted on Apple’s iOS app store or the Google Play store. We have found that reviews of one of the applications mention the spam from Snapchat.

Figure 4. App store review highlighting Snapchat spam

The way these spammers make money is through affiliate programs that pay for each successful installation. This is why porn bots ask for proof of installation in the chat script. From our research, there were at least 30,000 clicks through multiple short URLs, though this number may be higher when considering that there could be multiple campaigns with different short URLs in operation.

As we’ve highlighted in previousexamples, once a service becomes popular, the spammers are never far behind. With 350 million messages sent on Snapchat on a daily basis, it is no surprise that spammers have honed in on the service.

Other than porn spam, Snapchat users are also being targeted by a new campaign that uses a “secret admirer” lure in order to direct them to a website called SnapCrush. This website harvests usernames and directs users through a similar chain of affiliate programs with the same intention: to convince users to install a mobile application.

Figure 5. A new spam campaign on Snapchat

Currently, there is no way for Snapchat users to report these accounts as spam within the application itself. For now, users can report spam accounts to the service through the Report Spam section of the Snapchat support site.

Just when parents figured out SnapChat, an app that makes photo texts disappear, two new apps hit the social scene that achieve the same objective on both Twitter and Facebook. Twitterspirit allows a Twitter user to set a time limit for a tweet before it “self-destructs” in their feed. By using a hashtag (#) denoting any Read more…